Docket No. CISCO-2828 

Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1. (Currently Amended) A method for isolating a plurality of ports sharing a single virtual 
local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices 
within a local area network, at least one device in the group not belonging to any other VLAN, 
the method comprising: 

configuring each of said plurality of ports by a user on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on 
said data packet; and 

sending said data packet to said plurality of ports pursuant to said forwarding map. 

2. (Original) The method of claim 1 wherein said generating step further comprises sending 
said data packet to each of said non-protected ports if said destination address is not matched 
with said physical address and said ingress port is a protected port. 

3. (Original) The method of claim 1 wherein said generating step further comprises sending 
said data packet to all of said plurality of ports if said destination address is not matched with 
said physical address and said ingress port is a non-protected port. 

4. (Original) The method of claim 1 wherein said generating step further comprises allowing
said data packet to be forwarded from one of said protected ports to each of said non-protected 
ports. 

5. (Original) The method of claim 1 wherein said generating step further comprises
allowing said data packet to be forwarded between each of said non-protected ports. 

6. (Original) The method of claim 1 wherein said generating step further comprises 
prohibiting said data packet to be forwarded between each of said protected ports. 

7. (Original) The method of claim 1 wherein said generating step further comprises 
allowing said data packet to be forwarded between one of said non-protected ports to each of said 
protected ports. 

8. (Currently Amended) A program storage device readable by a machine, tangibly 
embodying a program of instructions executable by the machine to perform a method for 
isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 
switch, wherein the single VLAN is a group of devices within a local area network, at least one 
device in the group not belonging to any other VLAN, said method comprising: 

configuring each of said plurality of ports by a user on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on
said data packet; and 

sending said data packet to said plurality of ports pursuant to said forwarding map. 

9. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising: 

a port configurer to configure said plurality of ports as a protected port or a non-protected
port;

an address table memory storing an address table, said address table having a destination 
address and port number pair; 

a forwarding map generator generating a forwarding map; and 

said forwarding map responsive to a destination address of a data packet so that the data 
packet is forwarded either to a port number paired with the destination address in said forwarding 
table, or if not so paired, said data packet is forwarded to each of said non-protected ports on said 
switch if an ingress port is protected or if said ingress port is non-protected, said data packet is 
forwarded to all of said plurality of ports. 

10. (Original) The apparatus of claim 9 wherein said incoming packet is forwarded from one 
of said non-protected ports to other non-protected ports. 

11. (Original) The apparatus of claim 9 wherein said data packet is forwarded from one of
said protected ports to each of said non-protected ports. 

12. (Original) The apparatus of claim 9 wherein said data packet is forwarded from one of 
said non-protected ports to each of said protected ports. 

13. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising: 

means to configure each of said plurality of ports on said layer 2 switch as a protected or 
non-protected port; 

means to match a destination address on a data packet with a physical address on said 
layer 2 switch, said data packet received on an ingress port; 

means to generate a forwarding map for said data packet based upon said destination 
address on said data packet; and 

means to send said data packet to said plurality of ports pursuant to said forwarding map. 

14. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises a means to forward said data packet to each of said non-protected ports if said 
destination address is not matched with said physical address and said ingress port is a protected 
port. 

15. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map
further comprises a means to forward said data packet to all of said plurality of ports if said 
destination address is not matched with said physical address and said ingress port is a non- 
protected port. 

16. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises a means to allow said data packet to be forwarded from one of said protected
ports to each of said non-protected ports. 

17. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises means to allow said data packet to be forwarded between each of said non- 
protected ports. 

18. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises prohibiting said data packet to be forwarded between each of said protected 
ports. 

19. (Original) The apparatus of claim 13 wherein said means to generate a forwarding map 
further comprises allowing said data packet to be forwarded between one of said non-protected 
ports to each of said protected ports. 

20. (Currently Amended) A method for isolating a plurality of ports sharing a single virtual 
local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices 
within a local area network, at least one device in the group not belonging to any other VLAN,
the method comprising: 

maintaining a state for each of said plurality of ports on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on 
said data packet; and 

sending said data packet to said plurality of ports pursuant to said forwarding map. 

21. (Original) The method of claim 20 wherein said generating step further comprises
sending said data packet to each of said non-protected ports if said destination address is not 
matched with said physical address and said ingress port is a protected port. 

22. (Original) The method of claim 20 wherein said generating step further comprises 
sending said data packet to all of said plurality of ports if said destination address is not matched 
with said physical address and said ingress port is a non-protected port. 

23. (Original) The method of claim 20 wherein said generating step further comprises 
allowing said data packet to be forwarded from one of said protected ports to each of said non- 
protected ports. 

24. (Original) The method of claim 20 wherein said generating step further comprises
allowing said data packet to be forwarded between each of said non-protected ports. 

25. (Original) The method of claim 20 wherein said generating step further comprises 
prohibiting said data packet to be forwarded between each of said protected ports. 

26. (Original) The method of claim 20 wherein said generating step further comprises 
allowing said data packet to be forwarded between one of said non-protected ports to each of said 
protected ports. 

27. (Currently Amended) A program storage device readable by a machine, tangibly 
embodying a program of instructions executable by the machine to perform a method for 
isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 
switch, wherein the single VLAN is a group of devices within a local area network, at least one 
device in the group not belonging to any other VLAN, said method comprising: 

maintaining a state for each of said plurality of ports on said layer 2 switch as a protected 
port or a non-protected port; 

matching a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

generating a forwarding map for said data packet based upon said destination address on 
said data packet; and 

sending said data packet to said plurality of ports pursuant to said forwarding map. 

28. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the method comprising: 

means for maintaining a state for each of said plurality of ports on said layer 2 switch as a 
protected port or a non-protected port; 

means for matching a destination address on a data packet with a physical address on said 
layer 2 switch, said data packet received by an ingress port;

means for generating a forwarding map for said data packet based upon said destination 
address on said data packet; and 

means for sending said data packet to said plurality of ports pursuant to said forwarding
map.

29. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for sending said data packet to each of said non-protected ports if said 
destination address is not matched with said physical address and said ingress port is a protected 
port. 

30. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for sending said data packet to all of said plurality of ports if said 
destination address is not matched with said physical address and said ingress port is a non- 
protected port. 




31. (Previously Presented) The apparatus of claim 28 wherein said means for generating
further comprises means for allowing said data packet to be forwarded from one of said protected 
ports to each of said non-protected ports. 

32. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for allowing said data packet to be forwarded between each of said non- 
protected ports. 

33. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for prohibiting said data packet to be forwarded between each of said 
protected ports. 

34. (Previously Presented) The apparatus of claim 28 wherein said means for generating 
further comprises means for allowing said data packet to be forwarded between one of said non- 
protected ports to each of said protected ports. 

35. (Currently Amended) An apparatus for isolating a plurality of ports sharing a single 
virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of 
devices within a local area network, at least one device in the group not belonging to any other 
VLAN, the apparatus comprising:

a state maintenance module configured to maintain a state for each of said plurality of 
ports on said layer 2 switch as a protected port or a non-protected port; 

a destination address matching module coupled to said state maintenance module and
configured to match a destination address on a data packet with a physical address on said layer 2 
switch, said data packet received by an ingress port; 

a forwarding map generator coupled to said destination address matching module; and

a data packet sending module coupled to said forwarding map generator and configured
to send said data packet to said plurality of ports pursuant to said forwarding map. 

36. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is configured to send said data packet to each of said non-protected ports if said destination 
address is not matched with said physical address and said ingress port is a protected port. 

37. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is configured to send said data packet to all of said plurality of ports if said destination address is 
not matched with said physical address and said ingress port is a non-protected port. 

38. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is further configured to allow said data packet to be forwarded from one of said protected ports to 
each of said non-protected ports. 

39. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is further configured to allow said data packet to be forwarded between each of said non- 
protected ports. 

40. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator
is further configured to prohibit said data packet to be forwarded between each of said protected 
ports. 

41. (Previously Presented) The apparatus of claim 35 wherein said forwarding map generator 
is further configured to allow said data packet to be forwarded between one of said non-protected 
ports to each of said protected ports. 
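
The forwarding-map behaviour recited in claim 9 and the dependent claims, worked through as an added example; this code is not part of the filing or of any Cisco implementation. Assumptions: the bitmap representation, all names, the constructed 4-port switch and MAC addresses, applying the protected-to-protected prohibition to matched destinations as well as floods, and never sending a frame back out of its ingress port.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPORTS 4                       /* constructed 4-port switch */
#define ALL_PORTS ((1u << NPORTS) - 1)

struct fdb_entry { uint8_t mac[6]; int port; };
struct l2_switch {
    uint32_t protected_mask;           /* bit n set: port n is protected */
    struct fdb_entry fdb[8];           /* address table: (MAC, port) pairs */
    int fdb_len;
};

/* Constructed sample addresses (locally administered MACs). */
static const uint8_t MAC_A[6] = {0x02, 0, 0, 0, 0, 0x0a};       /* on port 1 */
static const uint8_t MAC_B[6] = {0x02, 0, 0, 0, 0, 0x0b};       /* on port 2 */
static const uint8_t MAC_UNKNOWN[6] = {0x02, 0, 0, 0, 0, 0xff}; /* not learned */

/* Ports 0 and 1 are protected, ports 2 and 3 are non-protected. */
struct l2_switch sample_switch(void) {
    struct l2_switch sw = { .protected_mask = 0x3, .fdb_len = 2 };
    memcpy(sw.fdb[0].mac, MAC_A, 6); sw.fdb[0].port = 1;
    memcpy(sw.fdb[1].mac, MAC_B, 6); sw.fdb[1].port = 2;
    return sw;
}

/* Returns the forwarding map: a bitmap of egress ports for one frame. */
uint32_t forwarding_map(const struct l2_switch *sw, int ingress,
                        const uint8_t dst[6]) {
    uint32_t in_bit = 1u << ingress;
    uint32_t map = ALL_PORTS;              /* no match: flood */
    for (int i = 0; i < sw->fdb_len; i++)
        if (memcmp(sw->fdb[i].mac, dst, 6) == 0)
            map = 1u << sw->fdb[i].port;   /* match: the paired port only */
    if (sw->protected_mask & in_bit)       /* protected ingress may not */
        map &= ~sw->protected_mask;        /* reach another protected port */
    return map & ~in_bit;                  /* assumption: skip ingress port */
}

int main(void) {
    struct l2_switch sw = sample_switch();
    printf("protected -> unknown:     0x%x\n", (unsigned)forwarding_map(&sw, 0, MAC_UNKNOWN));
    printf("non-protected -> unknown: 0x%x\n", (unsigned)forwarding_map(&sw, 2, MAC_UNKNOWN));
    printf("protected -> protected:   0x%x\n", (unsigned)forwarding_map(&sw, 0, MAC_A));
    return 0;
}
```

An empty map for a protected-to-protected frame means the frame is dropped; isolation is enforced per switch, within the single VLAN.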